1. Technical Field
The present invention relates to the processing of emergency calls in a wireless communication system which implements fraud detection and handling procedures and, more specifically, to preventing such calls from being blocked due to the implementation of such procedures.
2. Related Prior Art
The prior art includes cellular radio systems which have been operating in the United States and Europe for the last two decades. Cellular telephone service operates much like the fixed, wireline telephone service in homes and offices, except that radio frequencies rather than telephone wires are used to connect telephone calls to and from the mobile subscribers. Each mobile subscriber is assigned a private (10 digit) directory telephone number and is usually billed based on the amount of "airtime" he or she spends talking on the cellular telephone each month. Many of the service features available to landline telephone users (e.g., call waiting, call forwarding, three-way calling, etc.) are also generally available to mobile subscribers. In each market area, mobile subscribers usually have the freedom to subscribe to service from at least two systems. The local system from which service is subscribed is called the "home" system. When travelling outside the home system, a mobile subscriber may be able to obtain service in a distant system if there is a "roaming" agreement between the operators of the home and "visited" systems.
The architecture for a typical cellular radio system is shown in FIG. 1. A geographical area (e.g., a metropolitan area) is divided into several smaller, contiguous radio coverage areas, called "cells", such as cells C1-C10. The cells C1-C10 are served by a corresponding group of fixed radio stations, called "base stations", B1-B10, each of which includes a plurality of radio frequency (RF) channel units (transceivers) that operate on a subset of the RF channels assigned to the system, as well known in the art. The RF channels allocated to any given cell may be reallocated to a distant cell in accordance with a frequency reuse plan as is also well known in the art. In each cell, at least one RF channel, called the "control" or "paging/access" channel, is used to carry control or supervisory messages. The other RF channels are used to carry voice conversations and thus are called the "voice" or "speech" channels. The cellular telephone users (mobile subscribers) in the cells C1-C10 are provided with portable (hand-held), transportable (hand-carried) or mobile (car-mounted) telephone units, collectively referred to as "mobile stations", such as mobile stations M1-M5, each of which communicates with a nearby base station. Each of the mobile stations M1-M5 includes a controller (microprocessor) and a transceiver, as well known in the art. The transceiver in each mobile station may tune to any of the RF channels specified in the system (whereas each of the transceivers in the base stations B1-B10 usually operates on only one of the different RF channels used in the corresponding cell).
With continuing reference to FIG. 1, the base stations B1-B10 are connected to and controlled by a mobile telephone switching office (MTSO) 20. The MTSO 20, in turn, is connected to a central office (not specifically shown in FIG. 1) in the landline (wireline) public switched telephone network (PSTN) 22, or to a similar facility such as an integrated services digital network (ISDN). The MTSO 20 switches calls between wireline and mobile subscribers, controls signalling to the mobile stations M1-M5, compiles billing statistics, stores subscriber service profiles, and provides for the operation, maintenance and testing of the system. An important function of the MTSO 20 is to perform a "handoff" of a call from one base station to another base station B1-B10 as one of the mobile stations M1-M5 moves between cells. The MTSO 20 monitors the quality of the voice channel in the old cell and the availability of voice channels in the new cell. When the channel quality falls below a predetermined level (e.g., as the user travels away from the old base station towards the perimeter of the old cell), the MTSO 20 selects an available voice channel in the new cell and then orders the old base station to send to the mobile station on the current voice channel in the old cell a handoff message which informs the mobile station to tune to the selected voice channel in the new cell.
Access to the cellular system of FIG. 1 by any of the mobile stations M1-M5 is controlled on the basis of a mobile identification number (MIN) and an electronic serial number (ESN) which are stored in the mobile station. The MIN identifies the service subscription and is a binary representation of the 10-digit directory telephone number of the mobile subscriber. The MIN is assigned by the cellular service provider (home system operator) and is usually programmed into a mobile station either when purchased by the original user or when sold to another user (i.e., at the time of service installation). The MINs of valid (paying) subscribers are stored by the MTSO 20. The ESN uniquely identifies the mobile station and is a digital number which is supplied by the manufacturer and permanently stored in the mobile station (i.e., factory-set, not to be altered in the field). The ESNs of mobile stations which have been reported to be stolen can be appropriately marked by the MTSO 20 and denied service permanently.
User authorization for cellular service is usually performed at every system access (e.g., call origination) by a mobile station. When making an access, the mobile station forwards the MIN and ESN to the system. The MTSO 20 maintains a "white list" containing the MIN/ESN pairs of valid home subscribers and a "black list" containing the ESNs of stolen or otherwise unauthorized mobile stations. The MTSO 20 checks the received MIN/ESN pair to determine whether it belongs to a valid home subscriber and, if not, whether the MIN belongs to an authorized "roamer" from another system and whether the ESN has been blacklisted. If the MIN/ESN pair is not valid, or if the MIN is not recognized or if the ESN is blacklisted, the mobile station may be denied access. Otherwise, the user is considered valid and the access is accepted.
The original cellular radio systems, as described generally above, used analog transmission methods, specifically frequency modulation (FM), and duplex (two-way) RF channels in accordance with the Advanced Mobile Phone Service (AMPS) standard. This original AMPS (analog) architecture formed the basis for an industry standard sponsored by the Electronics Industries Association (EIA) and the Telecommunications Industry Association (TIA), and known as EIA/TIA-553. In the middle to late 1980s, however, the cellular industry both in the United States and Europe began migrating from analog to digital technology, motivated in large part by the need to address the steady growth in the subscriber population and the increasing demand on system capacity. The industry thus developed a number of air interface standards which use digital voice encoding (analog-to-digital conversion and voice compression) and advanced digital radio techniques, such as time division multiple access (TDMA) or code division multiple access (CDMA), to multiply the number of voice circuits (conversations) per RF channel (i.e., to increase capacity).
In Europe, the GSM standard, which uses TDMA with "frequency hopping", has been widely implemented. In the United States, the EIA/TIA has developed a number of digital standards, including IS-54(TDMA) and IS-95(CDMA), both of which are "dual mode" standards in that they support the use of the original AMPS analog voice and control channels in addition to digital speech channels defined within the existing AMPS framework (so as to ease the transition from analog to digital and to allow the continued use of existing analog mobile stations). The dual-mode IS-54 standard, in particular, has become known as the digital AMPS (D-AMPS) standard. More recently, the EIA/TIA has developed a new specification for D-AMPS, which includes a digital control channel suitable for supporting data services and extended mobile station battery life. This new specification, which builds on the IS-54B standard (the current revision of IS-54), is known as IS-136.
In addition to providing for a new, digital radio transmission format, many of the newer digital standards (including IS-136 and IS-95) specify the use of an authentication procedure for confirming the identity of mobile stations requesting service in a cellular system. This procedure, which also has been imported into newer analog standards such as IS-91 for narrowband AMPS (N-AMPS) and Revision A of EIA/TIA-553 (EIA/TIA-553A currently under development), was developed in response to the widespread, fraudulent use of MIN/ESN pairs to steal cellular service from existing analog systems. Many of the mobile stations which have been sold to date do not comply with the tamper-proof requirement for ESN and, consequently, can be easily programmed with a new ESN (there is no tamper-proof requirement for MIN and, hence, all mobile stations can be easily programmed with a new MIN). Thus, these mobile stations can be programmed to transmit any MIN/ESN pair so as to "trick" the system into granting access. Further background on this MIN/ESN "tumbling" and the resultant revenue and service losses can be found in the article entitled "Cellular Fraud" by Henry M. Kowalczyk, in Cellular Business, dated March 1991, at pp. 32-35.
Fraud in the form of MIN/ESN tumbling arose primarily in a "manual roaming" environment where the cellular systems were not interconnected on a real-time basis. Since each MTSO usually contained a list only of valid MIN/ESN pairs belonging to the home subscribers, it did not have immediate access to the counterpart lists in the other systems. Hence, by using a roamer MIN (i.e., a 10-digit directory telephone number containing an area code other than the local area code of the home system operator) and a non-blacklisted ESN, a fraudulent mobile station could receive service from the local cellular system until an indication of the invalidity of the MIN/ESN pair has been received (perhaps hours later) from the home system of the pretending roamer (or from a clearing house). In an "automatic roaming" environment, however, the cellular systems are networked together on a real-time basis in accordance with the provisions of an industry standard such as EIA/TIA standard IS-41 (or through a proprietary signalling protocol). Consequently, the serving cellular system can obtain verification of a MIN/ESN pair from the home system virtually immediately and can, therefore, deny service to a MIN/ESN tumbler without significant delay.
Of more concern recently has been a type of fraud known as "cloning" in which a fraudulent user adopts the bona fide MIN/ESN pair of a valid (paying) subscriber. The fraudulent user may surreptitiously acquire a bona fide MIN/ESN pair, or even a list of valid MIN/ESN pairs, in several ways. For example, in some instances, bona fide MIN/ESN numbers are printed on, and may be read from, a label which is affixed to a mobile station belonging to a valid subscriber. In other instances, a list of bona fide MIN/ESN pairs may be purchased on the "black market" or directly from an employee of the cellular operator. In addition, since each mobile station transmits the MIN/ESN pair to the serving exchange at every system access, one or more bona fide MIN/ESN pairs may be intercepted by listening to radio transmissions on the (analog) control channel.
The cellular industry has developed a number of interim solutions for detecting fraud. For example, current cellular systems monitor suspicious activities indicative of cloning fraud such as when a particular MIN/ESN is shown to be simultaneously engaged in two calls or, alternatively, to have placed two calls from two different locations within a shorter time interval than would be normally required to travel between those locations. However, the long-term solution to the fraud problem is seen to lie in fraud prevention rather than merely fraud detection. The authentication procedures in the newer industry standards aim at fraud prevention by requiring mobile stations to have the proper authentication data (in addition to a proper MIN/ESN) in order to receive service from the system. The authentication data is generated from identical sets of shared secret data (SSD) which are stored and periodically updated in a mobile station and its serving system. The authentication data generated in the mobile station is sent to the serving system to be compared with the internally generated authentication data for the purpose of confirming the identity of the mobile station. Since a clone mobile station is assumed not to have access to the initial value of the SSD or the subsequent history of SSD updates in a valid mobile station, the authentication data sent by the clone mobile station will not match the authentication data in the system, and therefore the system should be able to recognize the clone mobile station and deny it service.
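The two interim detection checks described above (one MIN/ESN in two calls at once, or in two places sooner than travel allows) can be sketched as follows. This is an added example, not taken from the patent or any operator's system; the record layout, the 150 km/h threshold and the sample calls are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 150.0  # assumed ceiling for plausible travel between cells

@dataclass
class Call:
    min_esn: tuple   # (MIN, ESN) presented at system access
    start: float     # seconds
    end: float
    lat: float       # location of the serving cell
    lon: float

def km_between(a, b):
    """Great-circle distance between the serving cells of two calls."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def clone_indicators(calls):
    """Return (reason, MIN) for each suspicious pair of calls on one MIN/ESN."""
    by_id = {}
    for c in sorted(calls, key=lambda c: c.start):
        by_id.setdefault(c.min_esn, []).append(c)
    alerts = []
    for (min_, _esn), seq in by_id.items():
        for i, a in enumerate(seq):
            for b in seq[i + 1:]:
                if b.start < a.end:                      # overlapping calls
                    alerts.append(("simultaneous", min_))
                    continue
                hours = (b.start - a.end) / 3600.0
                dist = km_between(a, b)
                if dist > 1.0 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                    alerts.append(("impossible_travel", min_))
    return alerts

# Constructed records: Dallas (32.78, -96.80) and Houston (29.76, -95.37), ~362 km apart.
SAMPLE = [
    Call(("2145550101", "82A1B2C3"), 0, 300, 32.78, -96.80),
    Call(("2145550101", "82A1B2C3"), 200, 400, 32.90, -96.75),      # overlaps the first
    Call(("2145550102", "82A1B2C4"), 0, 60, 32.78, -96.80),
    Call(("2145550102", "82A1B2C4"), 1800, 1900, 29.76, -95.37),    # 29 min later
    Call(("2145550103", "82A1B2C5"), 0, 60, 32.78, -96.80),
    Call(("2145550103", "82A1B2C5"), 14400, 14500, 29.76, -95.37),  # 4 h later
]

if __name__ == "__main__":
    for alert in clone_indicators(SAMPLE):
        print(alert)
```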
In the process of authentication, the base station generates and sends to the mobile station a random bit pattern, called RAND or RANDU, on the analog control channel (ACCH), digital control channel (DCCH), analog voice channel (AVCH) or digital traffic channel (DTCH). Each of the mobile station and the base station uses RAND or RANDU, a portion of SSD called SSD-A (the remaining portion, SSD-B, is used for encryption, and not for authentication), along with other parameters (e.g., the MIN and ESN of the mobile station) as inputs to a Cellular Authentication and Voice Encryption (CAVE) algorithm, which is defined in Appendix A to each of IS-54B and IS-136, to generate an authentication response called AUTHR or AUTHU (depending on whether RAND or RANDU is used, respectively). The authentication response computed in the mobile station is sent to the base station to be compared with the authentication response computed in the base station. If the authentication responses match, authentication is considered successful (i.e., the base station and the mobile station are considered to have identical sets of SSD). However, if the comparison at the base station fails, the base station may deny service to the mobile station or commence the process of updating the SSD. The procedure for updating SSD for any mobile station involves the generation of a new SSD value through the application of CAVE initialized with mobile station-specific information (ESN), certain random data (RANDSSD), and a secret, permanent authentication key (A-key) which is uniquely assigned to the mobile station.
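The challenge-response and SSD update described above, as an added sketch that is not from the patent or the IS-54B/IS-136 appendices. CAVE is not reproduced here: HMAC-SHA-256 stands in for it, and the field sizes, the Endpoint class and all key and identifier values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def _prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for CAVE (assumption): HMAC-SHA-256 over the inputs."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def update_ssd(a_key: bytes, esn: bytes, randssd: bytes):
    """New SSD from A-key, ESN and RANDSSD; returns (SSD-A, SSD-B)."""
    ssd = _prf(a_key, b"SSD", esn, randssd)[:16]
    return ssd[:8], ssd[8:]

def auth_response(ssd_a: bytes, rand: bytes, min_: bytes, esn: bytes) -> bytes:
    """AUTHR/AUTHU stand-in computed from RAND/RANDU, SSD-A, MIN and ESN."""
    return _prf(ssd_a, b"AUTH", rand, min_, esn)[:3]   # short response (assumed width)

class Endpoint:
    """One side's copy of A-key, MIN, ESN and SSD-A (mobile station or system)."""
    def __init__(self, a_key, min_, esn, ssd_a):
        self.a_key, self.min_, self.esn, self.ssd_a = a_key, min_, esn, ssd_a

    def respond(self, rand: bytes) -> bytes:
        return auth_response(self.ssd_a, rand, self.min_, self.esn)

    def verify(self, rand: bytes, received: bytes) -> bool:
        # System side: compare the received response with its own computation.
        return hmac.compare_digest(self.respond(rand), received)

    def apply_ssd_update(self, randssd: bytes):
        self.ssd_a, _ = update_ssd(self.a_key, self.esn, randssd)

def demo():
    """Constructed case: a valid mobile, a valid mobile with stale SSD, a clone."""
    a_key, min_, esn = b"A" * 8, b"2145550101", b"\x82\xa1\xb2\xc3"
    ssd_a, _ = update_ssd(a_key, esn, b"randssd-0")
    system = Endpoint(a_key, min_, esn, ssd_a)
    valid = Endpoint(a_key, min_, esn, ssd_a)
    stale = Endpoint(a_key, min_, esn, b"\x00" * 8)      # SSD out of sync
    clone = Endpoint(b"?" * 8, min_, esn, b"\xff" * 8)   # knows MIN/ESN only
    rand = b"\x01\x02\x03\x04"                           # fixed here; random in use
    before = [system.verify(rand, m.respond(rand)) for m in (valid, stale, clone)]
    for party in (system, stale, clone):                 # system starts an SSD update
        party.apply_ssd_update(b"randssd-1")
    after = [system.verify(rand, m.respond(rand)) for m in (stale, clone)]
    return before, after
```

The stale mobile fails the first comparison exactly as the clone does, and only the SSD update, which depends on the A-key, tells them apart.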
While the original MIN/ESN screening procedures and the newer authentication procedures are quite useful for effectively dealing with the problem of fraud, those procedures also lead to certain complications in practice. Specifically, those procedures may result in the blocking of an emergency call placed through a mobile station falsely suspected of fraud. As well known in the art, a MIN/ESN or AUTHR/AUTHU mismatch at the system may be caused, for example, by a formatting or transmission error at the mobile station. In that case, a valid subscriber who places an emergency call may be denied service when it is needed the most. Furthermore, even if the MIN/ESN or AUTHR/AUTHU mismatch is truly reflective of the existence of a clone mobile station, it nevertheless may be desirable to complete the emergency call in order to protect the health or welfare of the user of the clone mobile station.
The risk of emergency call blocking is reduced to some extent in certain systems such as those which implement the IS-136 standard. In those systems, a mobile subscriber may initiate an emergency call by pressing an emergency call button in the mobile station which, in turn, sets an emergency call flag in the call origination message from the mobile station to the system. Upon receiving this message, the system will ignore the called party number field in the message and either will not apply the fraud detection procedures to this call or will continue processing the call even if an indication of fraud is detected so as to route the emergency call to the appropriate emergency center. However, there is no provision in those systems for avoiding the blocking of an emergency call placed by dialing an emergency number (e.g., "911") were the call to fail one or more of the checks used by the various fraud detection and/or prevention procedures.
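The screening order from the white list/black list description and the emergency-flag handling in this paragraph can be put together to show where the remaining gap lies. This is an added example, not code from the patent or from any IS-136 implementation; the message fields, list contents and return values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed subscriber data for the example.
WHITE_LIST = {("2145550101", "82A1B2C3")}      # valid home MIN/ESN pairs
ROAMER_MINS = {"3125550199"}                   # MINs of authorized roamers
BLACK_LIST = {"0BADC0DE"}                      # ESNs reported stolen
HOME_MINS = {m for m, _ in WHITE_LIST}

@dataclass
class Origination:
    min_: str
    esn: str
    dialed: str
    emergency_flag: bool = False   # set by the emergency call button
    auth_ok: bool = True           # outcome of the AUTHR/AUTHU comparison

def fraud_indication(o):
    """Return the reason a fraud check failed, or None if every check passed."""
    if (o.min_, o.esn) not in WHITE_LIST:
        if o.min_ in HOME_MINS:
            return "min_esn_mismatch"
        if o.min_ not in ROAMER_MINS:
            return "min_not_recognized"
        if o.esn in BLACK_LIST:
            return "esn_blacklisted"
    if not o.auth_ok:
        return "auth_mismatch"
    return None

def handle(o):
    """Return (disposition, fraud_reason) for one call origination message."""
    reason = fraud_indication(o)
    if o.emergency_flag:
        # Called party number is ignored; the call continues despite any indication.
        return ("route_to_emergency_center", reason)
    if reason is not None:
        return ("deny", reason)          # a dialed "911" ends up here too
    return ("connect " + o.dialed, None)

if __name__ == "__main__":
    # Valid subscriber whose authentication response was corrupted in transit.
    print(handle(Origination("2145550101", "82A1B2C3", "911", auth_ok=False)))
    print(handle(Origination("2145550101", "82A1B2C3", "", True, auth_ok=False)))
```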